[Bug 499243] New: Net::DBus::Object does not correctly validate requested method name to invoke

bugzilla at redhat.com bugzilla at redhat.com
Tue May 5 18:55:17 UTC 2009



https://bugzilla.redhat.com/show_bug.cgi?id=499243

           Summary: Net::DBus::Object does not correctly validate
                    requested method name to invoke
           Product: Fedora
           Version: rawhide
          Platform: All
        OS/Version: Linux
            Status: NEW
          Keywords: Security
          Severity: medium
          Priority: low
         Component: perl-Net-DBus
        AssignedTo: cweyl at alumni.drew.edu
        ReportedBy: berrange at redhat.com
         QAContact: extras-qa at fedoraproject.org
                CC: berrange at redhat.com, cweyl at alumni.drew.edu,
                    fedora-perl-devel-list at redhat.com
    Classification: Fedora
    Target Release: ---


Description of problem:
There is a security issue in the implementation of Net::DBus::Object.

In the place where it dispatches RPC calls, it simply does

 $self->can($method_name)

so it allows the dbus client to invoke any method that the service side object
implements. Many service implementors would like the ability to restrict this to
just the methods they explicitly export in the introspection XML data.

Furthermore, the current check also allows direct invocation of several
internal implementation methods of Net::DBus::Object itself.

This allows a remote client to do a denial of service by calling 'disconnect',
which unregisters the object from the bus. It also allows the remote client to
emit signals on the object which other clients may then act on.

For the dbus 'system' bus, the service can be running as root and the client as
an unprivileged user, so this flaw may allow a client to run things they
shouldn't. While the impact of being able to emit signals / invoke improper
methods *may* be limited by the need to have ACLs registered with the dbus
system bus instance, the degree of protection depends on how well the app
author wrote their ACLs. So one can't rely on this.

For the dbus 'session' bus, everything is running as an unprivileged user, so
the impact is reasonably low: denial of service.

This issue is already public via the upstream bug report

 https://rt.cpan.org/Ticket/Display.html?id=45034

And I have a patch available which should resolve it:

  http://hg.berrange.com/libraries/net-dbus--devel?cs=be26112c5fdd

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Run the 'examples/example-service.pl' file from source tar.gz
2. In another terminal run

$ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
$ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.disconnect
$ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"


Actual results:
The 'disconnect' method was allowed

$ dbus-send  --session --print-reply --dest=org.designfu.SampleService
/SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
method return sender=:1.61 -> dest=:1.62 reply_serial=2
   array [
      string "Hello"
      string " from example-service.pl"
   ]
$ dbus-send  --session --print-reply --dest=org.designfu.SampleService
/SomeObject org.designfu.SampleInterface.disconnect
method return sender=:1.61 -> dest=:1.63 reply_serial=2
$ dbus-send  --session --print-reply --dest=org.designfu.SampleService
/SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
Error org.freedesktop.DBus.Error.UnknownMethod: Method "HelloWorld" with
signature "s" on interface "org.designfu.SampleInterface" doesn't exist


Expected results:
The 'disconnect' method should be denied

$ dbus-send  --session --print-reply --dest=org.designfu.SampleService
/SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
method return sender=:1.65 -> dest=:1.66 reply_serial=2
   array [
      string "Hello"
      string " from example-service.pl"
   ]
$ dbus-send  --session --print-reply --dest=org.designfu.SampleService
/SomeObject org.designfu.SampleInterface.disconnect
Error org.freedesktop.DBus.Error.Failed: No such method SomeObject->disconnect
$ dbus-send  --session --print-reply --dest=org.designfu.SampleService
/SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
method return sender=:1.65 -> dest=:1.68 reply_serial=2
   array [
      string "Hello"
      string " from example-service.pl"
   ]


Additional info:
Bug affects all Fedora releases.
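As an added illustration of the dispatch problem described in this report (not Net::DBus code and not the reporter's patch), the following standalone Perl script contrasts a can()-based dispatcher, which reaches any implemented method including an internal 'disconnect', with one that consults an explicit export table first. Example::Service, its two methods and the export list are constructed stand-ins for a real service object and its introspection data.

```perl
#!/usr/bin/perl
# Added illustration, not Net::DBus code: a constructed service object with
# one method meant to be exported (HelloWorld) and one internal method
# (disconnect), plus two dispatchers for a client-supplied method name.
use strict;
use warnings;

package Example::Service;

sub new {
    my ($class, %args) = @_;
    my %exports = map { $_ => 1 } @{ $args{exports} || [] };
    return bless { exports => \%exports }, $class;
}
sub HelloWorld { my ($self, $msg) = @_; return "Hello $msg"; }
sub disconnect { my ($self) = @_; $self->{disconnected} = 1; return "unregistered"; }

# Flawed dispatch: whatever the object implements is reachable by name.
sub dispatch_can {
    my ($self, $method, @args) = @_;
    my $code = $self->can($method) or die "No such method $method\n";
    return $self->$code(@args);
}

# Fixed dispatch: the name must be in the explicit export table (what the
# introspection XML advertises) before can() is consulted at all.
sub dispatch_exported {
    my ($self, $method, @args) = @_;
    die "No such method $method\n" unless $self->{exports}{$method};
    my $code = $self->can($method) or die "No such method $method\n";
    return $self->$code(@args);
}

package main;

my $svc = Example::Service->new(exports => ['HelloWorld']);

for my $method (qw(HelloWorld disconnect)) {
    for my $dispatcher (qw(dispatch_can dispatch_exported)) {
        my $result = eval { $svc->$dispatcher($method, 'hello') };
        if (!defined $result) { $result = "denied: $@"; chomp $result; }
        printf "%-17s %-10s -> %s\n", $dispatcher, $method, $result;
    }
}
```

Both dispatchers answer HelloWorld; only dispatch_exported refuses disconnect, which is the behaviour the "Expected results" transcript above asks for.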
